The English text and the picture are from The Economist. The translation is for my own study and appreciation of the language; please do not repost it or use it for any commercial purpose. I agree that the Jianshu platform may delete this article upon receiving notice from the copyright holder.
Computers will never be secure. To manage the risks, look to economics rather than technology.
Computer security will never be achieved. Controlling the risk calls for economic measures rather than technical fixes.
COMPUTER security is a contradiction in terms. Consider the past year alone: cyber thieves stole $81m from the central bank of Bangladesh; the $4.8bn takeover of Yahoo, an internet firm, by Verizon, a telecoms firm, was nearly derailed by two enormous data breaches; and Russian hackers interfered in the American presidential election.
The phrase “computer security” is a contradiction in terms. Consider the past year alone: cyber thieves stole $81m from the central bank of Bangladesh; the telecoms firm Verizon and Yahoo, the internet firm it was acquiring for $4.8bn, were nearly knocked flat by two enormous data breaches (this sentence was mistranslated; thanks to @sucher for pointing it out, and the correct rendering is in the comments); and Russian hackers interfered in the American presidential election.
Away from the headlines, a black market in computerised extortion, hacking-for-hire and stolen digital goods is booming. The problem is about to get worse. Computers increasingly deal not just with abstract data like credit-card details and databases, but also with the real world of physical objects and vulnerable human bodies. A modern car is a computer on wheels; an aeroplane is a computer with wings. The arrival of the “Internet of Things” will see computers baked into everything from road signs and MRI scanners to prosthetics and insulin pumps. There is little evidence that these gadgets will be any more trustworthy than their desktop counterparts. Hackers have already proved that they can take remote control of connected cars and pacemakers.
Away from the headlines, the black market in computer-based extortion, hacking for hire and stolen digital goods is growing fast. The problem is going to get worse. Computers increasingly handle not only abstract data such as credit-card details and databases but also the real world of physical objects and vulnerable human bodies. A modern car is a computer on wheels; an aeroplane is a computer with wings. The arrival of the “Internet of Things” will embed computers in everything, from road signs and MRI scanners to prosthetics and insulin pumps. There is no evidence that these devices will be any more trustworthy than desktop computers. Hackers have already proved that they can remotely control connected cars and pacemakers.
It is tempting to believe that the security problem can be solved with yet more technical wizardry and a call for heightened vigilance. And it is certainly true that many firms still fail to take security seriously enough. That requires a kind of cultivated paranoia which does not come naturally to non-tech firms. Companies of all stripes should embrace initiatives like “bug bounty” programmes, whereby firms reward ethical hackers for discovering flaws so that they can be fixed before they are taken advantage of.
People tend to believe that the security problem can be solved with yet more technical wizardry and appeals for greater vigilance. It is certainly true that many companies still do not take computer security seriously enough. That requires cultivating a kind of paranoia, which does not come naturally to non-technology companies. Companies large and small should join “bug bounty” programmes, in which a firm promises to reward white-hat hackers who find flaws in its software so that they can be fixed before someone else exploits them.
But there is no way to make computers completely safe. Software is hugely complex. Across its products, Google must manage around 2bn lines of source code; errors are inevitable. The average program has 14 separate vulnerabilities, each of them a potential point of illicit entry. Such weaknesses are compounded by the history of the internet, in which security was an afterthought.
But it is very hard to make computers completely secure. Software is extremely complex. Across its products, Google has to manage roughly 2bn lines of source code, and errors are unavoidable. An ordinary program has on average 14 separate vulnerabilities, each a potential entry point for intruders. The history of the internet makes these weaknesses harder still to deal with: security has always been an afterthought.
Leaving the windows open
Leaving the windows open
This is not a counsel of despair. The risk from fraud, car accidents and the weather can never be eliminated completely either. But societies have developed ways of managing such risk, from government regulation to the use of legal liability and insurance to create incentives for safer behaviour.
這并非絕望的忠告。欺詐,車禍和天氣變化的風險同樣永遠不會被完全消除。但是社會已經開發出控制風險的辦法 - 從政府監管到法律義務和保險手段的運用等,以便創造更安全行為的鞭策措施。
Start with regulation. Governments’ first priority is to refrain from making the situation worse. Terrorist attacks, like the recent ones in St Petersburg and London, often spark calls for encryption to be weakened so that the security services can better monitor what individuals are up to. But it is impossible to weaken encryption for terrorists alone. The same protection that guards messaging programs like WhatsApp also guards bank transactions and online identities. Computer security is best served by encryption that is strong for everyone.
Regulation comes first. Governments' first task is to avoid making the situation worse. Terrorist attacks like the recent ones in St Petersburg and London often prompt calls to weaken encryption so that the security services can better monitor what individuals are doing. But it is impossible to weaken encryption for terrorists alone. The same protection that secures messaging programs such as WhatsApp also secures bank transactions and online identities. Computer security is best served by encryption that is strong for everyone.
The next priority is setting basic product regulations. A lack of expertise will always hamper the ability of users of computers to protect themselves. So governments should promote “public health” for computing. They could insist that internet-connected gizmos be updated with fixes when flaws are found. They could force users to change default usernames and passwords. Reporting laws, already in force in some American states, can oblige companies to disclose when they or their products are hacked. That encourages them to fix a problem instead of burying it.
The next priority is to set basic product rules. A lack of expertise will always hamper computer users' ability to protect themselves. So governments should promote “public health” for computing. They could insist that internet-connected devices be updated with fixes when flaws are found. They could require users to change default usernames and passwords. Breach-reporting laws, already in force in some American states, oblige companies to disclose when they or their products have been hacked. That encourages them to fix the problem rather than cover it up.
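What “force users to change default usernames and passwords” looks like inside a device's login path, as an added illustration that is not part of the Economist piece and not the code of any real product: factory credentials are accepted only long enough to let the owner replace them, no management function is reachable in that state, a replacement drawn from the same factory list is refused, and the new secret is stored as a salted PBKDF2 hash. The default list, the Device class and the sample walkthrough are constructed for this example.

```python
# Added example: enforcing a first-boot credential change on an internet-connected
# device. Names, the factory-default list and the sample device are constructed
# for illustration; this is not code from the article or from any real product.
import hashlib
import hmac
import os

# Credentials a vendor might ship in every firmware image (constructed list).
# Botnet malware tries exactly these, so they are never acceptable long-term.
FACTORY_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "12345"),
    ("user", "user"),
}
MIN_PASSWORD_LEN = 12
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the device stores only this, never the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class Device:
    """Minimal credential store for one device."""

    def __init__(self, username: str, password: str, factory_provisioned: bool):
        self.salt = os.urandom(16)
        self.username = username
        self.pw_hash = hash_password(password, self.salt)
        # Anything set by the factory must be replaced before normal use, whether or
        # not it appears in FACTORY_DEFAULTS (per-device sticker passwords included).
        self.must_change = factory_provisioned

    def _credentials_match(self, username: str, password: str) -> bool:
        # compare_digest returns False (rather than raising) on a length mismatch.
        user_ok = hmac.compare_digest(username.encode("utf-8"), self.username.encode("utf-8"))
        pass_ok = hmac.compare_digest(hash_password(password, self.salt), self.pw_hash)
        return user_ok and pass_ok

    def login(self, username: str, password: str) -> str:
        """Returns 'denied', 'change_required' or 'ok'."""
        if not self._credentials_match(username, password):
            return "denied"
        if self.must_change:
            # Authenticated with factory credentials: the only permitted action is
            # to set new ones; no management functions are exposed in this state.
            return "change_required"
        return "ok"

    def set_credentials(self, current_password: str, new_username: str, new_password: str) -> bool:
        """Replace the stored credentials; returns False if the new pair is unacceptable."""
        if not self._credentials_match(self.username, current_password):
            return False
        if (new_username, new_password) in FACTORY_DEFAULTS:
            return False  # swapping one well-known default for another is not a change
        if len(new_password) < MIN_PASSWORD_LEN:
            return False
        if new_username == self.username and hmac.compare_digest(
            hash_password(new_password, self.salt), self.pw_hash
        ):
            return False  # re-entering the factory password does not clear the flag
        self.salt = os.urandom(16)
        self.username = new_username
        self.pw_hash = hash_password(new_password, self.salt)
        self.must_change = False
        return True


def first_boot_walkthrough() -> list:
    """Exercise the policy on a constructed device; returns the sequence of outcomes."""
    dev = Device("admin", "admin", factory_provisioned=True)
    outcomes = []
    outcomes.append(dev.login("admin", "admin"))                        # change_required
    outcomes.append(dev.set_credentials("admin", "root", "12345"))      # False: another default
    outcomes.append(dev.set_credentials("admin", "admin", "admin"))     # False: still a default
    outcomes.append(dev.set_credentials("admin", "owner", "correct-horse-battery"))  # True
    outcomes.append(dev.login("admin", "admin"))                        # denied: default gone
    outcomes.append(dev.login("owner", "correct-horse-battery"))        # ok
    return outcomes


if __name__ == "__main__":
    print(first_boot_walkthrough())
```

The flag is tied to provisioning state rather than to membership in the default list, so a per-device password printed on a sticker is treated the same way as “admin/admin”: it gets the owner through the door once and nowhere else.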
Go a bit slower and fix things
Slow down a bit and fix things
But setting minimum standards still gets you only so far. Users’ failure to protect themselves is just one instance of the general problem with computer security: the incentives to take it seriously are too weak. Often, the harm from hackers is not to the owner of a compromised device. Think of botnets, networks of computers, from desktops to routers to “smart” lightbulbs, that are infected with malware and attack other targets.
But setting minimum standards only gets you so far. Users' failure to protect themselves is just one instance of the general problem with computer security: the incentives to take it seriously are far too weak. Often the harm done by hackers falls not on the owner of the compromised device. Think of botnets: networks of computers, from desktops to routers to “smart” lightbulbs, that are infected with malware and used to attack other targets.
Most important, the software industry has for decades disclaimed liability for the harm when its products go wrong. Such an approach has its benefits. Silicon Valley’s fruitful “go fast and break things” style of innovation is possible only if firms have relatively free rein to put out new products while they still need perfecting. But this point will soon be moot. As computers spread to products covered by established liability arrangements, such as cars or domestic goods, the industry’s disclaimers will increasingly butt up against existing laws.
Most important, for decades the software industry has disclaimed liability for the harm done when its products go wrong. This approach has its merits. Silicon Valley's fruitful “go fast and break things” style of innovation is possible only because firms have been relatively free to release new products that are still imperfect. But this point will soon be moot. As computers spread into products covered by established liability regimes, such as cars or household goods, the industry's disclaimers will increasingly collide with existing law.
Firms should recognise that, if the courts do not force the liability issue, public opinion will. Many computer-security experts draw comparisons to the American car industry in the 1960s, which had ignored safety for decades. In 1965 Ralph Nader published “Unsafe at Any Speed”, a bestselling book that exposed and excoriated the industry’s lax attitude. The following year the government came down hard with rules on seatbelts, headrests and the like. Now imagine the clamour for legislation after the first child fatality involving self-driving cars.
Firms should recognise that if the courts do not force the liability issue, public opinion will. Many computer-security experts draw a comparison with the American car industry of the 1960s, which for decades had ignored safety. In 1965 Ralph Nader published “Unsafe at Any Speed”, a bestseller that exposed and fiercely condemned the industry's lax attitude. The following year the government clamped down with rules on seatbelts, headrests and the like. Now imagine how loud the calls for legislation will be after the first child fatality caused by a self-driving car.
Fortunately, the small but growing market in cyber-security insurance offers a way to protect consumers while preserving the computing industry’s ability to innovate. A firm whose products do not work properly, or are repeatedly hacked, will find its premiums rising, prodding it to solve the problem. A firm that takes reasonable steps to make things safe, but which is compromised nevertheless, will have recourse to an insurance payout that will stop it from going bankrupt. It is here that some carve-outs from liability could perhaps be negotiated. Once again, there are precedents: when excessive claims against American light-aircraft firms threatened to bankrupt the industry in the 1980s, the government changed the law, limiting their liability for old products.
Fortunately, the small but growing market in cyber-security insurance offers a way to protect consumers while preserving the computer industry's capacity to innovate. If a firm's products do not work properly, or it is repeatedly hacked, its premiums will rise, which pushes it to fix the problem. A firm that has taken reasonable steps to make its products safe but is nonetheless compromised can call on an insurance payout that keeps it from going bankrupt. It is here that some carve-outs from liability might be negotiated. Again there are precedents: in the 1980s, when a flood of claims against American light-aircraft firms threatened to bankrupt the industry, the government changed the law to limit their liability for old products.
One reason computer security is so bad today is that few people were taking it seriously yesterday. When the internet was new, that was forgivable. Now that the consequences are known, and the risks posed by bugs and hacking are large and growing, there is no excuse for repeating the mistake. But changing attitudes and behaviour will require economic tools, not just technical ones.
One reason computer security is so bad today is that nobody took it seriously enough before. When the internet was new, that was forgivable. Now that the consequences are known, and the risks from bugs and hacking are large and growing, there is no excuse for repeating the mistake. But changing attitudes and behaviour will require economic tools, not just technical ones.